Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Azure Active Directory support for Synapse #259

Merged
merged 11 commits into from
Apr 20, 2022
Merged

Azure Active Directory support for Synapse #259

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
6877be4
first changes
mosharafMS Dec 8, 2021
4dd9b45
Merge branch 'main' into synapse-aad
mosharafMS Apr 9, 2022
958d5a2
Merge branch 'main' into synapse-aad
mosharafMS Apr 15, 2022
f79dbe2
synapse support for aad auth only
mosharafMS Apr 19, 2022
edd75a7
synapse aad support in test files
mosharafMS Apr 19, 2022
c693395
schema update
mosharafMS Apr 19, 2022
6b504ed
resolving comments
mosharafMS Apr 19, 2022
b7e0d2e
fixing action failure
mosharafMS Apr 19, 2022
0a03911
add synapse dependancy
mosharafMS Apr 19, 2022
f2bab3b
fix the aadLoginName missing in the cmk case
mosharafMS Apr 20, 2022
44dd48a
wait before activation. sqldb akv username
mosharafMS Apr 20, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
319 changes: 172 additions & 147 deletions azresources/analytics/synapse/main.bicep
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,147 +1,172 @@
// ----------------------------------------------------------------------------------
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT license.
//
// THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
// EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES
// OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
// ----------------------------------------------------------------------------------

@description('Location for the deployment.')
param location string = resourceGroup().location

@description('Synapse Analytics name.')
param name string

@description('Key/Value pair of tags.')
param tags object = {}

@description('Synapse Analytics Managed Resource Group Name.')
param managedResourceGroupName string

// ADLS Gen 2
@description('Azure Data Lake Store Gen2 Resource Group Name.')
param adlsResourceGroupName string

@description('Azure Data Lake Store Gen2 Name.')
param adlsName string

@description('Azure Data Lake Store File System Name.')
param adlsFSName string

// Credentials
@description('Synapse Analytics Username.')
@secure()
param synapseUsername string

@description('Synapse Analytics Password.')
@secure()
param synapsePassword string

// Networking
@description('Private Endpoint Subnet Resource Id.')
param privateEndpointSubnetId string

@description('Private DNS Zone Resource Id.')
param synapsePrivateZoneId string

@description('Private DNS Zone Resource Id for Dev.')
param synapseDevPrivateZoneId string

@description('Private DNS Zone Resource Id for Sql.')
param synapseSqlPrivateZoneId string

// SQL Vulnerability Scanning
@description('SQL Vulnerability Scanning - Security Contact email address for alerts.')
param sqlVulnerabilitySecurityContactEmail string

@description('SQL Vulnerability Scanning - Storage Account Resource Group.')
param sqlVulnerabilityLoggingStorageAccounResourceGroupName string

@description('SQL Vulnerability Scanning - Storage Account Name.')
param sqlVulnerabilityLoggingStorageAccountName string

@description('SQL Vulnerability Scanning - Storage Account Path to store the vulnerability scan results.')
param sqlVulnerabilityLoggingStoragePath string

// Deployment Script Identity
@description('Deployment Script Identity Resource Id. This identity is used to execute Azure CLI as part of the deployment.')
param deploymentScriptIdentityId string

// Customer Managed Key
@description('Boolean flag that determines whether to enable Customer Managed Key.')
param useCMK bool

// Azure Key Vault
@description('Azure Key Vault Resource Group Name. Required when useCMK=true.')
param akvResourceGroupName string

@description('Azure Key Vault Name. Required when useCMK=true.')
param akvName string

// Synapse Analytics without Customer Managed Key
module synapseWithoutCMK 'synapse-without-cmk.bicep' = if (!useCMK) {
name: 'deploy-synapse-without-cmk'
params: {
name: name
tags: tags
location: location

adlsResourceGroupName: adlsResourceGroupName
adlsName: adlsName
adlsFSName: adlsFSName

managedResourceGroupName: managedResourceGroupName

synapseUsername: synapseUsername
synapsePassword: synapsePassword

privateEndpointSubnetId: privateEndpointSubnetId
synapsePrivateZoneId: synapsePrivateZoneId
synapseDevPrivateZoneId: synapseDevPrivateZoneId
synapseSqlPrivateZoneId: synapseSqlPrivateZoneId

sqlVulnerabilitySecurityContactEmail: sqlVulnerabilitySecurityContactEmail

sqlVulnerabilityLoggingStorageAccounResourceGroupName: sqlVulnerabilityLoggingStorageAccounResourceGroupName
sqlVulnerabilityLoggingStorageAccountName: sqlVulnerabilityLoggingStorageAccountName
sqlVulnerabilityLoggingStoragePath: sqlVulnerabilityLoggingStoragePath

deploymentScriptIdentityId: deploymentScriptIdentityId
}
}

// Synapse Analytics with Customer Managed Key
module synapseWithCMK 'synapse-with-cmk.bicep' = if (useCMK) {
name: 'deploy-synapse-with-cmk'
params: {
name: name
tags: tags
location: location

adlsResourceGroupName: adlsResourceGroupName
adlsName: adlsName
adlsFSName: adlsFSName

managedResourceGroupName: managedResourceGroupName

synapseUsername: synapseUsername
synapsePassword: synapsePassword

privateEndpointSubnetId: privateEndpointSubnetId
synapsePrivateZoneId: synapsePrivateZoneId
synapseDevPrivateZoneId: synapseDevPrivateZoneId
synapseSqlPrivateZoneId: synapseSqlPrivateZoneId

sqlVulnerabilitySecurityContactEmail: sqlVulnerabilitySecurityContactEmail

sqlVulnerabilityLoggingStorageAccounResourceGroupName: sqlVulnerabilityLoggingStorageAccounResourceGroupName
sqlVulnerabilityLoggingStorageAccountName: sqlVulnerabilityLoggingStorageAccountName
sqlVulnerabilityLoggingStoragePath: sqlVulnerabilityLoggingStoragePath

deploymentScriptIdentityId: deploymentScriptIdentityId

akvResourceGroupName: akvResourceGroupName
akvName: akvName
}
}
// ----------------------------------------------------------------------------------
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT license.
//
// THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
// EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES
// OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
// ----------------------------------------------------------------------------------

@description('Location for the deployment.')
param location string = resourceGroup().location

@description('Synapse Analytics name.')
param name string

@description('Key/Value pair of tags.')
param tags object = {}

@description('Synapse Analytics Managed Resource Group Name.')
param managedResourceGroupName string

// ADLS Gen 2
@description('Azure Data Lake Store Gen2 Resource Group Name.')
param adlsResourceGroupName string

@description('Azure Data Lake Store Gen2 Name.')
param adlsName string

@description('Azure Data Lake Store File System Name.')
param adlsFSName string

// Credentials
@description('use Azure AD only authentication or mix of both AAD and SQL authentication')
param aadAuthenticationOnly bool

@description('Azure AD principal name, in the format of firstname last name')
param aadLoginName string =''

@description('AAD account object id')
param aadLoginObjectID string=''

@description('AAD account type with options User, Group, Application. Default: Group')
@allowed([
'User'
'Group'
'Application'
])
param aadLoginType string = 'Group'

@description('Synapse Analytics Username.')
@secure()
param sqlAuthenticationUsername string

@description('Synapse Analytics Password.')
@secure()
param sqlAuthenticationPassword string

// Networking
@description('Private Endpoint Subnet Resource Id.')
param privateEndpointSubnetId string

@description('Private DNS Zone Resource Id.')
param synapsePrivateZoneId string

@description('Private DNS Zone Resource Id for Dev.')
param synapseDevPrivateZoneId string

@description('Private DNS Zone Resource Id for Sql.')
param synapseSqlPrivateZoneId string

// SQL Vulnerability Scanning
@description('SQL Vulnerability Scanning - Security Contact email address for alerts.')
param sqlVulnerabilitySecurityContactEmail string

@description('SQL Vulnerability Scanning - Storage Account Resource Group.')
param sqlVulnerabilityLoggingStorageAccounResourceGroupName string

@description('SQL Vulnerability Scanning - Storage Account Name.')
param sqlVulnerabilityLoggingStorageAccountName string

@description('SQL Vulnerability Scanning - Storage Account Path to store the vulnerability scan results.')
param sqlVulnerabilityLoggingStoragePath string

// Deployment Script Identity
@description('Deployment Script Identity Resource Id. This identity is used to execute Azure CLI as part of the deployment.')
param deploymentScriptIdentityId string

// Customer Managed Key
@description('Boolean flag that determines whether to enable Customer Managed Key.')
param useCMK bool

// Azure Key Vault
@description('Azure Key Vault Resource Group Name. Required when useCMK=true.')
param akvResourceGroupName string

@description('Azure Key Vault Name. Required when useCMK=true.')
param akvName string

// Synapse Analytics without Customer Managed Key
module synapseWithoutCMK 'synapse-without-cmk.bicep' = if (!useCMK) {
name: 'deploy-synapse-without-cmk'
params: {
name: name
tags: tags
location: location

adlsResourceGroupName: adlsResourceGroupName
adlsName: adlsName
adlsFSName: adlsFSName

managedResourceGroupName: managedResourceGroupName

aadAuthenticationOnly: aadAuthenticationOnly
aadLoginName: aadLoginName
aadLoginObjectID: aadLoginObjectID
aadLoginType: aadLoginType
sqlAuthenticationUsername: sqlAuthenticationUsername
sqlAuthenticationPassword: sqlAuthenticationPassword

privateEndpointSubnetId: privateEndpointSubnetId
synapsePrivateZoneId: synapsePrivateZoneId
synapseDevPrivateZoneId: synapseDevPrivateZoneId
synapseSqlPrivateZoneId: synapseSqlPrivateZoneId

sqlVulnerabilitySecurityContactEmail: sqlVulnerabilitySecurityContactEmail

sqlVulnerabilityLoggingStorageAccounResourceGroupName: sqlVulnerabilityLoggingStorageAccounResourceGroupName
sqlVulnerabilityLoggingStorageAccountName: sqlVulnerabilityLoggingStorageAccountName
sqlVulnerabilityLoggingStoragePath: sqlVulnerabilityLoggingStoragePath

deploymentScriptIdentityId: deploymentScriptIdentityId
}
}

// Synapse Analytics with Customer Managed Key
module synapseWithCMK 'synapse-with-cmk.bicep' = if (useCMK) {
name: 'deploy-synapse-with-cmk'
params: {
name: name
tags: tags
location: location

adlsResourceGroupName: adlsResourceGroupName
adlsName: adlsName
adlsFSName: adlsFSName

managedResourceGroupName: managedResourceGroupName

aadAuthenticationOnly: aadAuthenticationOnly
aadLoginName: aadLoginName
aadLoginObjectID: aadLoginObjectID
aadLoginType: aadLoginType
sqlAuthenticationUsername: sqlAuthenticationUsername
sqlAuthenticationPassword: sqlAuthenticationPassword

privateEndpointSubnetId: privateEndpointSubnetId
synapsePrivateZoneId: synapsePrivateZoneId
synapseDevPrivateZoneId: synapseDevPrivateZoneId
synapseSqlPrivateZoneId: synapseSqlPrivateZoneId

sqlVulnerabilitySecurityContactEmail: sqlVulnerabilitySecurityContactEmail

sqlVulnerabilityLoggingStorageAccounResourceGroupName: sqlVulnerabilityLoggingStorageAccounResourceGroupName
sqlVulnerabilityLoggingStorageAccountName: sqlVulnerabilityLoggingStorageAccountName
sqlVulnerabilityLoggingStoragePath: sqlVulnerabilityLoggingStoragePath

deploymentScriptIdentityId: deploymentScriptIdentityId

akvResourceGroupName: akvResourceGroupName
akvName: akvName
}
}
Loading